(Vulnerability is Reasserted and Details Are Provided) Re: Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash
SecurityTracker Alert ID: 1005151|
SecurityTracker URL: http://securitytracker.com/id/1005151
(Links to External Site)
Date: Aug 29 2002
Denial of service via network, error, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network|
Exploit Included: Yes |
A denial of service vulnerability was reported in the Kerio Personal Firewall software for Microsoft Windows operating systems. A remote user can cause a host protected by the firewall software to crash.|
In the original message, NSSI-Research Labs warned that a remote user could cause the protected host's CPU utilization to reach 100%, even if the host's TCP/IP stack has been hardened. After that message, the vendor responded to deny the vulnerability (see the Message History for the vendor's message). NSSI-Research Labs subsequently issued another message reasserting the original claim and providing vulnerability details. In addition, a cross-site scripting flaw has been reported.
It is reported that the firewall is vulnerable to SYN flood attacks. A remote user can send 40 or more TCP SYN packets to cause the target host to stop responding and the host to eventually crash. This attack is reportedly successful even if the target host operating system has been hardened.
If the firewall is set to block all services and protocols, a remote user can send 500 or more TCP SYN packets to cause the target host to stop responding and CPU utilization to reach 100%.
Also, a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will appear to originate from the local host (the firewall) and will run in the security context of the local host. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the firewall, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.
Some demonstration exploit URLs are provided:
A remote user can cause CPU utilization to reach 100% or the protected target host to crash.|
A remote user can also access the target user's cookies (including authentication cookies), if any, associated with the firewall software, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.
No solution was available at the time of this entry.|
Vendor URL: www.kerio.com/us/kpf_home.html (Links to External Site)
Exception handling error, Resource error, error|
|Underlying OS: Windows (Any)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Re: Kerio Mail Server Multiple Security vulnerabilities|
This is a straight forward answer to what Mr. Jaroslav Snajdr of
Kerio.com mail server dev is claiming that kerio mail server is not
vulnerable. To clear things up and let the people judge.
by the way Mr. Snajdr im recieving emails that they confirmed
that the vulnerability in ur product DO EXIST. anyway i'll proceed to
the explanation in reproducing the vulnerability.
We will show u if this advisory is real or Not Bec. We Wil be
Releasing Another SECURITY ADVISORY against newest version of Kerio
1] Cross-Site Scripting Vulnerability with Kerio
"secure" Web Mail module.
Even Page 404 is vulnerable? funny. Mr. Kevin of spidy thanks ;)
SO Kerio is not vulnerable with Cross-site scripting? ;P now u g0t
idea how to recode ur InSecure coding style. Want to know more about
Crossite-scripting? REad the FAQ always and search it in google. ;p
Other is not yet to be devulge it will be released on the next
advisory this Week ;)
2] DOS Vulnerability with Every Kerio Mail Server Services.
Some people think (*shrrug*) that Securing the TCP/IP stack
of the Operating system could Protect their Application against DOS.
Let people judge:
Test Bed: [*nix with synflood)<----------->[Winnt with sp6A
/Win2k Sp3 with Kerio Mailserver] (note: all win servers are hardened
synmail = our synflood Proof of Concept Code
Kerio Mail Server IP = 192.168.0.1
Sendmail IP = 192.168.0.2
./synmail <destinationIP> <Port> <num of packets>
[root@NSSIlabs]# ./synmail 192.168.0.1 25 40
Targeting host 192.168.0.1 .......
[root@NSSIlabs]# telnet 192.168.0.1 25
telnet: Unable to connect to remote host: Connection refused
[root@NSSIlabs]# nc 192.168.0.1 25
note: no reply from netcat ;) meaning port is closed after
targeting port 25 with 40 syn packets
Vulnerable or No? ;)
Another Testing Against Other mail server: (against sendmail) ;)
./synmail <destinationIP> <Port> <num of packets>
[root@NSSIlabs]# ./synmail 192.168.0.2 25 50
Targeting host 192.168.0.2 .......
Note: as u would notice we increase syn packets to 50. ;)
[root@SunNinja remote]# telnet 192.168.0.2 25
Connected to 192.168.0.2.
Escape character is '^]'.
220 nssilabs.nssolution.COM ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Aug
Its for you to judge if this is wrong or right. People who's
reading this may test it on their own ;)
We will be releasing another Security Advisory regarding Newest
version of Kerio Mail Server ;)
Hey Mr. Snajdr if u think that this demo is not acceptable or so..
there's nothing we can do about it. We just found a flaw in your
application and we inform you about it before releasing the advisory
for u to release patch but unfortunately We recieve emails from you
that this vulnerability report is fake. anyway people who's reading
this will be the one to judge ;)
Thanks and good day! ;)
NSSI Research Labs
"When They say that their Technology is Un-Breakable they are
Lying..." - Bruce
Sign-up for your own FREE Personalized E-mail at Mail.com